Conventionally, in-vehicle systems have included recording devices for recording data. Such recording devices, typified by the drive recorder, include a function of recording video data captured by a camera onto a recording medium such as a hard disk drive (HDD) or an SD card.
Furthermore, a system has been developed that collects data output from an electronic control unit (ECU) installed in an in-vehicle system and records the data as a log on a server outside the vehicle.
The conventional technologies, however, do not assume that the in-vehicle system is connected to an external device via a network and attacked from a malicious external device, and that a malicious device and a computer program are present inside the in-vehicle system. Thus, threats in which an attacker or a malicious user illegitimately acquires, alters, or erases the data recorded in the recording medium have not been dealt with.
Moreover, a scheme has been developed that detects an abnormality that has occurred inside an in-vehicle system and a failure in security verification processing, and records them in a log. Even in this case, however, it is not assumed that the data recorded in the recording medium is illegitimately manipulated by an illegitimate module or an illegitimate program inside the in-vehicle system. Thus, no specific implementation method has been disclosed for leaving traces of a security incident when one has occurred.
Furthermore, the data that the ECU outputs contains know-how of an original equipment manufacturer (OEM), and thus the data can be a subject of protection for the OEM. For example, a scheme is desired in which all of the data that the ECU has output and that is stored in the in-vehicle system is disclosed to the OEM itself or to a third party that the OEM has permitted, such as an insurance company or a legal institution such as a court, while general users and competitors of the OEM are prevented from acquiring and analyzing the data, or in which the stored data is partially disclosed publicly. However, no specific implementation method for such a scheme has been disclosed. In view of the foregoing, when data that the ECU outputs is stored inside the in-vehicle system, it is desired to construct a scheme capable of limiting the output of the data depending on its purpose while protecting the stored data.